From version 8.1
edited by Cyril Dangerville
on 2023/09/13 19:44
Change comment: There is no comment for this version
To version 9.1
edited by Cyril Dangerville
on 2023/09/13 19:56
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -15,13 +15,11 @@
15 15  - AuthZForce also provides a minimal single-tenant RESTful PDP API server that web clients can call to request authorization decisions, etc. This API is provided by //**AuthzForce RESTful PDP**// [[~[~[image:https://camo.githubusercontent.com/400c4e52df43f6a0ab8a89b74b1a78d1a64da56a7848b9110c9d2991bb7c3105/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c6963656e73652d47504c76332d626c75652e737667~|~|alt="License badge"~]~]>>https://opensource.org/licenses/gpl-3.0]], [[~[~[image:https://img.shields.io/docker/pulls/authzforce/restful-pdp
16 16  ~|~|alt="Docker badge"~]~] >>https://hub.docker.com/r/authzforce/restful-pdp/]].
17 17  
18 -//If you are interested in using the Web API, go to [[AuthzForce Server project>>http://gitlab.ow2.org/authzforce/server]].//
19 -
20 20  = (% style="font-weight:normal" %)__**AuthzForce Features**__(%%) =
21 21  
22 22  == PDP (Policy Decision Point) ==
23 23  
24 -//**Applies to AuthzForce Core and AuthzForce Server.**//
22 +//**Applies to AuthzForce Core, AuthzForce RESTful PDP, and AuthzForce Server.**//
25 25  
26 26  AuthzForce provides XACML PDP features:
27 27  
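Review bot: removing line 18 drops the only link in this hunk to the AuthzForce Server project (http://gitlab.ow2.org/authzforce/server), and nothing in the new text replaces it; now that line 22 scopes the PDP section to Core, RESTful PDP and Server, readers who want the multi-tenant Web API have no pointer left. Suggest keeping a short sentence such as "For the multi-tenant Web API, see the [[AuthzForce Server project>>http://gitlab.ow2.org/authzforce/server]]" next to the RESTful PDP paragraph. Unrelated to the change but visible in the context: the Docker badge link on lines 15-16 is split across a line break inside the `[[image:...~]~]>>...]]` markup, which is worth checking in the rendered page.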
... ... @@ -33,23 +33,38 @@
33 33  ** [[Algorithms planned for future deprecation>>http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047257]].
34 34  * [[XACML v3.0 Core and Hierarchical Role Based Access Control (RBAC) Profile Version 1.0>>http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html]]
35 35  * [[XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories>>http://docs.oasis-open.org/xacml/3.0/multiple/v1.0/cs02/xacml-3.0-multiple-v1.0-cs02.html#_Toc388943334]] (##urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories##).
34 +* [[XACML v3.0 - JSON Profile Version 1.0>>http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html]], with extra security features:
35 +** JSON schema [[Draft v6>>https://tools.ietf.org/html/draft-wright-json-schema-01]] validation;
36 +** DoS mitigation: JSON parser variant checking max JSON string size, max number of JSON keys/array items and max JSON object depth.
36 36  * [[XACML 3.0 Additional Combining Algorithms Profile Version 1.0>>http://docs.oasis-open.org/xacml/xacml-3.0-combalgs/v1.0/xacml-3.0-combalgs-v1.0.html]]: ##on-permit-apply-second## policy combining algorithm;
37 37  * Experimental support for:
38 38  ** [[XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0>>http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html]]: only ##dnsName-value## datatype and ##dnsName-value-equal## function are supported;
39 39  * [[XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision>>http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890]] (##urn:oasis:names:tc:xacml:3.0:profile:multiple:combined-decision##).
40 40  
42 +* [[GeoXACML 1.0>>http://portal.opengeospatial.org/files/?artifact_id=42734]] (Open Geospatial Consortium) support: see [[this AuthzForce extension from SecureDimensions>>https://github.com/securedimensions/authzforce-geoxacml-basic]].
43 +* [[GeoXACML 3.0 Core (draft)>>https://docs.ogc.org/DRAFTS/22-049.html]] (Open Geospatial Consortium) support: see [[this AuthzForce extension from SecureDimensions>>https://github.com/securedimensions/authzforce-ce-geoxacml3]].
44 +* [[GeoXACML 3.0 JSON Profile 1.0 (draft)>>https://docs.ogc.org/DRAFTS/22-050.html]] (Open Geospatial Consortium) support: see [[this AuthzForce extension from SecureDimensions>>https://github.com/securedimensions/authzforce-ce-geoxacml3]].
45 +* Support <VariableReference> (indirectly) in <Target>/<Match> elements: this feature is a workaround for a limitation in XACML schema which does not allow Variables (<VariableReference>) in Match elements; i.e. the feature allows policy writers to use an equivalent of <VariableReference>s in <Match> elements (without changing the XACML schema) through a special kind of <AttributeDesignator> (specific Category, and AttributeId is used as VariableId). More details in the Usage section below.
46 +
41 41  : //For further details on what is actually supported with regards to the XACML specifications, please refer to the [[Feature page>>https://gitlab.ow2.org/authzforce/fiware/-/blob/master/doc/Features.md]].//
48 +:
49 +:
42 42  
51 +(((
52 +=== //Enhancements to the XACML standard// ===
53 +)))
54 +
43 43  === //Security// ===
44 44  
45 -* Detection of circular XACML policy references (##PolicyIdReference##/##PolicySetIdReference##);
46 -* Control of the **maximum XACML ##PolicyIdReference##/##PolicySetIdReference## depth**;
47 -* Control of the **maximum XACML ##VariableReference## depth**.
57 +* Detection of circular XACML policy / variable references (##PolicyIdReference##/##PolicySetIdReference/VariableReference##);
58 +* Control of the **maximum XACML ##PolicyIdReference##/##PolicySetIdReference/VariableReference## depth**.
48 48  
49 49  === //Performance// ===
50 50  
51 51  * Optional **strict multivalued attribute parsing**: if enabled, multivalued attributes must be formed by grouping all ##AttributeValue## elements in the same ##Attribute## element (instead of duplicate ##Attribute## elements); this does not fully comply with [[XACML 3.0 Core specification of Multivalued attributes (§7.3.3)>>http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047176]], but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request.
52 52  * Optional **strict attribute Issuer matching**: if enabled, ##AttributeDesignators## without ##Issuer## only match request ##Attributes## without Issuer (and same ##AttributeId##, ##Category##...); this option is not fully compliant with XACML 3.0, §5.29, in the case that the ##Issuer## is indeed not present on a ##AttributeDesignator##; but it is the recommended option when all ##AttributeDesignator##s have an ##Issuer## (the XACML 3.0 specification (5.29) says: //If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.//);
64 +* **Optimal integer data-type** implementation: the maxIntegerValue configuration parameter (expected maximum absolute value in XACML attributes of type http:~/~/www.w3.org/2001/XMLSchema#integer) helps the PDP choose the most efficient Java data-type. By default, the XACML/XML type http:~/~/www.w3.org/2001/XMLSchema#integer is mapped to the larger Java data-type: BigInteger. However, this may be overkill for example in the case of integer attributes representing the age of a person; in this case, the Short type is more appropriate and especially more efficient. Therefore, decreasing the maxIntegerValue value as much as possible, based on the range you expect your integer values to fit in, makes the PDP engine more efficient on integer handling: lower memory consumption, faster computations.
65 +* **Pluggable Decision Cache**: you can plug in your own XACML Decision Cache mechanism to speed up evaluation of (repetitive) requests. See down below for more info (Decision Cache extension).
53 53  
54 54  === //Attribute sources a.k.a. PIPs (Policy Information Points)// ===
55 55  
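Review bot: the new "=== //Enhancements to the XACML standard// ===" heading on lines 51-53 has no content under it and is immediately followed by "=== //Security// ===", and the "(((" / ")))" group wrapping only a heading is unusual; either move the VariableReference-in-Match bullet (line 45) under this heading, where it belongs as a non-standard extension, or drop the heading. The two bare ":" lines added on lines 48-49 render as empty definition-list items and look accidental. On lines 57-58 the monospace spans are inconsistent: "##PolicyIdReference##/##PolicySetIdReference/VariableReference##" puts the slash inside the second span; suggest "##PolicyIdReference##/##PolicySetIdReference##/##VariableReference##" in both bullets. Line 45 refers to "the Usage section below" but gives no link; a wiki anchor would keep it from going stale. Minor wording on line 64: "the larger Java data-type: BigInteger" should read "the largest", and "Short" should be "short" if it means the Java primitive.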
... ... @@ -97,6 +97,12 @@
97 97  * Supported data formats: JSON, XML, [[Fast Infoset>>http://www.itu.int/en/ITU-T/asn1/Pages/Fast-Infoset.aspx]] .
98 98  * Defined in standard [[Web Application Description Language and XML schema>>https://gitlab.ow2.org/authzforce/rest-api-model/tree/develop/src/main/resources]] so that you can automatically generate client code.
99 99  
113 +//**Applies to AuthzForce RESTful PDP only.**//
114 +
115 +* Provides access to all PDP features mentioned in previous sections.
116 +* Conformance with [[REST Profile of XACML v3.0 Version 1.0>>http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html]]
117 +* Supported data formats: JSON, XML.
118 +
100 100  == High availability and load-balancing ==
101 101  
102 102  //**Applies to AuthzForce Server only.**//
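Review bot: the "//**Applies to AuthzForce RESTful PDP only.**//" block on lines 113-118 is appended to the end of the Web API section with no heading separating it from the preceding bullets, so the section now carries two "Applies to" markers and the new list reads as a continuation of the previous one. Suggest giving the RESTful PDP block its own "== ... ==" heading (or a sub-heading under the existing one) so that each scope marker introduces its own list, and ending line 116 with a period or semicolon like the neighbouring bullets. The stray space before the period on the unchanged line 97 ("Fast Infoset>>...]] .") could be fixed in the same edit.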